Tuesday, February 21, 2012

For a few days now I've been checking the code of various Chrome extensions looking for vulnerabilities (see also the first post of the series). There are many. Most are due to lazy programming (ignoring even Google's own docs on the subject); some are more subtle, coming from poor design decisions.

As for impact, though, some of these vulnerabilities are catastrophic. This is just a sample of the code that gets committed to the Chrome Web Store and can be downloaded as a Google Chrome extension.

How would you like an XSS on google.com?

Chrome extensions can alter the contents of a web page you're browsing (if they have permission for that URL). In web security, what is the worst thing you can do when altering an HTML document on the fly? XSS, of course. Even if the page itself is totally safe from XSS, an extension can introduce it (it's similar to entering javascript:code() in the address bar), and the page cannot really defend against it (more or less): whatever the extension writes into the DOM is parsed as part of the page, so the injected script runs in the page's origin with the page's cookies and DOM.

Google's documentation on Chrome extensions warns about this exact threat. But, as it turns out, seeing is believing, so here you go. Let me tell you about a minor extension (196 users as of now, which is the only reason I'm 0daying it now) that allowed me to XSS Google.

So every node in the document whose HTML contains 'http://codereview.chromium.org/' gets linkified (linkifying means converting http://anything into <a href="http://anything">anything</a>) and is reinserted into the DOM using innerHTML. The matched URL text is taken straight from the page and dropped into an attribute and into markup without any escaping, and the resulting string is assigned to innerHTML.
Which smells like XSS.
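To make the pattern concrete, here is an added example that is not the extension's or the author's code: a minimal model of linkify-then-innerHTML beside a DOM-based rewrite that does not re-parse page text. The regex `URL_RE`, the function names and the sample string `SAMPLE` are assumptions; the sample stands in for page text (say, a feed-item title in Google Reader) that contains a double quote, which innerHTML serialization leaves unescaped.

```javascript
// Added example, not the extension's or the author's code. It models the
// linkify-via-innerHTML pattern the post describes and a DOM-based fix.
// URL_RE, the function names and SAMPLE are assumptions for illustration.

// Greedy URL matcher of the kind a linkifier typically uses: it runs through
// any non-whitespace character, including '"' and '>'.
const URL_RE = /https?:\/\/\S+/g;

// VULNERABLE pattern: el.innerHTML = linkifyUnsafe(el.innerHTML).
// Serializing a text node to innerHTML escapes only & < > (and nbsp), so a
// '"' in page text survives verbatim, the regex swallows it, and the
// replacement drops it unescaped inside the href attribute. Attacker text
// can therefore close the attribute and add its own (onmouseover=...).
function linkifyUnsafe(html) {
  return html.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Safe alternative, step 1: split plain text (textNode.data, never
// innerHTML) into text and link parts. Pure function, so it is testable.
function splitLinks(text) {
  const parts = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    if (m.index > last) parts.push({ type: 'text', value: text.slice(last, m.index) });
    parts.push({ type: 'link', href: m[0] }); // scheme is http(s) by construction of URL_RE
    last = m.index + m[0].length;
  }
  if (last < text.length) parts.push({ type: 'text', value: text.slice(last) });
  return parts;
}

// Safe alternative, step 2: rebuild the node with DOM APIs. Attacker text can
// only become a text node or an attribute *value*; it is never handed to the
// HTML parser. `doc` is the page's `document` in a content script.
function linkifyTextNode(textNode, doc) {
  const parts = splitLinks(textNode.data);
  if (!parts.some((p) => p.type === 'link')) return false;
  const frag = doc.createDocumentFragment();
  for (const p of parts) {
    if (p.type === 'text') {
      frag.appendChild(doc.createTextNode(p.value));
      continue;
    }
    const a = doc.createElement('a');
    a.href = p.href;        // property assignment, not string-built markup
    a.textContent = p.href; // '<' or '"' here stays literal text
    frag.appendChild(a);
  }
  textNode.parentNode.replaceChild(frag, textNode);
  return true;
}

// Walk every text node under `root` (the element whose text mentions the
// target host, in the extension's case). Snapshot the nodes first, because
// linkifyTextNode mutates the tree while we iterate. Returns the number of
// text nodes rewritten.
function linkifySubtree(root, doc) {
  const walker = doc.createTreeWalker(root, 4 /* NodeFilter.SHOW_TEXT */);
  const nodes = [];
  while (walker.nextNode()) nodes.push(walker.currentNode);
  let changed = 0;
  for (const n of nodes) {
    if (n.parentNode.nodeName === 'A') continue; // don't nest anchors
    if (linkifyTextNode(n, doc)) changed++;
  }
  return changed;
}

// Constructed sample: page text containing a quote. The vulnerable pattern
// turns it into an anchor that carries an extra onmouseover attribute.
const SAMPLE = 'see http://codereview.chromium.org/"onmouseover="alert(1) now';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(linkifyUnsafe(SAMPLE));
  console.log(JSON.stringify(splitLinks(SAMPLE)));
}
```

In a content script you would call `linkifySubtree(el, document)` on the matched element instead of touching `el.innerHTML`; the page's text never makes a second trip through the HTML parser, so there is nothing for a quote or an angle bracket to break out of. The `URL_RE` anchoring on `https?://` also keeps `javascript:` out of `a.href`.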

Exploitation

Manipulating any node in Google Reader so that it starts with http://codereview.chromium.org, with an XSS payload that gets past the linkify regex, is very simple. In the Google Reader search box just start searching for:

A lot of extensions request access to your browser X, Y, & Z... but since you (the user) want to use the functionality the extension provides, we all click "OK". Just from those notifications, it is still unclear WHY the extension needs those permissions, or WHAT the extension might be doing with that access.

How can we know/understand more about this process? Where is the source path of the extension, & should we just be looking at the source code (assuming dev experience)?

There's a little bit about these scary warnings and what they mean in a section of Google Code's website, but it's written more towards extension authors than end users. http://code.google.com/chrome/extensions/permission_warnings.html

I was actually annoyed by the very same thing, so I wrote an extension, 'CRX Inspector', to address the issue. It lets you browse the source code of extensions without making you install them first. Look it up in the Web Store if you like.

As for the XSS vulnerabilities: the disturbing thing is that small, unpopular extensions built by ignorant amateurs are *not* the only ones you'll find them in. I've found several in hugely popular ones, including AdBlock and a number of 'by Google' extensions. Sloppy coding practices, e.g. the use of innerHTML, are putting millions of users at risk.